On The Listening Post this week: As China and Russia attempt to limit the use of VPNs, we examine the repercussions for media freedom online.
Plus, police vs the press in Uganda.
The great firewall update: Clamping down on VPNs Russia and China have both recently taken action against the use of VPNs, virtual private networks.
Their new approach requires the support of companies like Apple, which has obeyed an order to remove VPN apps from its Chinese App store.
Russia has a more open internet than China, but it has just passed a new law targeting VPNs and other proxy servers.
Contributors: Eva Galperin, director of cyber security, Electronic Frontier Foundation Sunday Yokubaitis, president, Golden Frog VPN Ying Chan, director, Journalism and Media Studies Centre, University of Hong Kong Malavika Jayaram, executive director, Digital Asia Hub On our radar: Turkish journalists both inside and outside the country bear the brunt of their government’s media crackdown.
Two journalists have been murdered in the space of two days on the island of Mindanao in the Philippines, in separate drive-by shootings.
Al Jazeera’s future in Israel is in jeopardy after the Israeli government announced its decision to shut down the network’s Jerusalem bureau.
The early years of current President Yoweri Museveni’s 31-year tenure saw the opening up of the country’s media.
In recent years, however, things have begun to change, with the government enacting a string of laws that have made the lives of journalists in Uganda increasingly difficult, and have had a chilling effect on reporting.
On The Listening Post this week: As China and Russia attempt to limit the use of VPNs, we examine the repercussions for media freedom online.
Data Breach at UC Health hospital may impact 4,721 sufferers.
Daniel Drake Center for Post-Acute Care, part of six-hospital UC Health Hospital in the region of Cincinnati, is reporting that one of its workers accessed patient medical records as a data breach over a 2-year period without the process of authorization.
In June, the UC health Hospital privacy office learned of the data breach.
Now, Daniel Drake Center is notifying 4,721 sufferers about potential exposure of their data, and it is offering a year of credit monitoring and identity theft protection services from Experian.
The center isn’t revealing how the worker was capable to access records for an extended period of time without being caught, nor did it say how it learned about the data breach.
Many healthcare agencies typically learn that a breach has occurred through notifications from law enforcement agencies that may be investigating one breach and finding that other organizations also have been affected.
Daniel Drake Center now is executing software to regularly and proactively monitor access to electronic health records (EHRs) and also is conducting educational sessions with staff covering suitable access to protected health information and patient confidentiality.
Both initiatives are usually done following a breach, often at the suggestion of the HHS Office for Civil Rights, which enforces the breach notification rule.
UC Health refused to give additional details about the incident.
(TNS) — The first step in protecting a business from cybersecurity attacks is educating employees because nearly all breaches result from a worker clicking on a phishing email or an inappropriate website, Information Technology experts said Thursday.
Ninety to 95 percent of it is through employees,” said David DeArmond, owner of Strix Louisiana, a business productivity and IT services firm.
Brandon Reeves, CEO of EtherMon LLC, an IT cybersecurity services firm, was the other.
Businesses can protect themselves by securing their networks with some sort of firewall, monitoring information flowing into and out of the network; installing anti-virus software on computers and smartphones; and backing up data.
DeArmond said the typical system backs up data every 30 minutes, so if there is a ransomware attack — malicious software that blocks a user’s access to data until a payment is made — a business loses very little of its data.
Bad guys are looking for the path of least resistance.
However, small businesses as a group are a huge target, DeArmond said.
They don’t have controls in place or spend much on security, so they don’t offer much in the way of resistance.
An EtherMon employee posed as a FedEx worker delivering a package to a hospital senior executive.
Google is helping people with “free” services, but Google gets the right to users’ data.
WannaCry Helps Push Cyber-Crime Attacks to New Heights in 2Q17.
The Q2 2017 ThreatMetrix Cybercrime Report was compiled using data on actual attacks that occurred from April to June 2017, as detected by the ThreatMetrix Digital Identity Network, which analyzes approximately 2 billion transactions per month.
In the second quarter of 2017, ThreatMetrix detected 144 million attacks, nearly doubling the attack volume detected in the second quarter of 2016.
Of note, ThreatMetrix saw a large spike in attack volume following the WannaCry ransomware attack in mid-May as attackers aimed to take advantage of consumers.
In this slide show, eWEEK takes a look at some of the highlights of the latest ThreatMetrix Cybercrime Report.
Attackers are increasingly using stolen identities to create new accounts that are then used for fraudulent transactions.
Device spoofing was the top attack vector in the second quarter, according to ThreatMetrix.
With a device spoofing attack, a hacker changes browser and other device settings to change a device’s identity.
On the dark web, cyber-criminals can buy and sell just about type of personal information.
eWEEK looks at how hackers make their money and how much stolen data is worth.
Feds file fraud charge in Columbia Sportswear hacking case.
Federal prosecutors sent a message to would-be hackers Thursday, filing a single count of computer fraud against Michael Leeper, the former Columbia Sportswear information technology manager who allegedly continued to log in to the company’s computer system for years after he quit.
Prosecutors claim he continued to access Columbia’s system for more than two years with the hopes of commercial gain.
In March, Columbia filed a civil lawsuit against Leeper and Denali Advanced Integration, his new employer, claiming Leeper hacked into the Columbia system hundreds of time.
Columbia claims it terminated Leeper’s regular network account.
Leeper denied any wrongdoing and claimed Columbia knew he was getting into the company’s system.
He also argued that his hacking had not caused any harm to the Portland outdoor apparel and footwear company.
The civil case is pending.
Sam Kaufman, the Portland attorney representing Leeper, declined comment on the criminal case, as did Columbia officials.
— Jeff Manning 503-294-7606, email@example.com
Leaked email shows HBO negotiating with hackers.
Hackers this week released an email from HBO in which the company expressed willingness to pay them $250,000 as part of a negotiation over data swiped from HBO’s servers.
The executive asked for a 1-week delay and said HBO was willing to make a “good faith” payment of $250,000, calling it a “bug bounty” reward for IT professionals rather than a ransom.
HBO declined to comment.
A person close to the investigation confirmed the authenticity of the email, but said it was an attempt to buy time and assess the situation.
The same hackers have subsequently released two dumps of HBO material and demanded a multi-million dollar ransom. “They’re being extorted.
If it was a bug bounty, it’d be on the up and up.”
The first HBO hack became publicly known on July 31.
But paying ransoms to hackers can be dangerous because it shows that being a bad-guy hacker is a good business, said cybersecurity expert Oren Falkowitz, CEO of Redwood City, California-based Area 1 Security.
FTC Blogs Review Data Security, Data Breach Prevention Basics.
Starting with the FTC’s 10 Start with Security Principles, the blogs will “take a deeper dive into steps companies can take to safeguard sensitive data in their possession,” FTC Bureau of Consumer Protection Acting Director Thomas B. Pahl wrote in the first post.
“We’ve listened to the day-to-day challenges you face in protecting sensitive information and have learned from the practical approaches you’re taking to address data security challenges.” The second blog post reviewed how organizations can sensibly control data access.
“The better practice is to put sensible controls in place to allow access to employees who need it to do their jobs, while keeping others out.” Limiting administrative access will also be essential in data breach prevention, the blog post stated.
For example, a company should not have the same login credentials for all employees.
HIPAA regulations require the “minimum necessary” approach, which states that covered entities must “make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.” The first FTC blog post discussed how the agency will occasionally investigate data security issues that have occurred within companies, but some cases are closed without law enforcement.
“Sometimes a company’s practices may raise initial concerns, but there are other factors that suggest law enforcement wouldn’t be in the public interest,” he continued.
READ MORE: Why Businesses Must Adhere to FTC Act and HIPAA Privacy Rule Healthcare organizations could potentially be affected by FTC investigations into data security issues.
Should they have authority if the OCR under HHS expressly has the authority?” Covered entities and their business associates should ensure they are adhering to HIPAA requirements in terms of PHI security, and are properly documenting their policies and procedures.
From there, it should be easier to show investigating agencies – whether OCR or FTC – that the proper measures were in place, even if a data security incident occurs.
ICO fines TalkTalk £100k for data breach.
The regulator said TalkTalk had breached the Data Protection Act because it didn’t safeguard the huge amounts of data it held about its customers from staff.
Employees were able to imporperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.
The investigation revealed it was actually employees of Wipro, a third party company working with TalkTalk to resolve complaints about network coverage, that were able to access and swipe the data.
The ICO found three Wipro accounts that had siphoned off the data, although 40 employees in total had access to the information. “TalkTalk may consider themselves to be the victims here,” Information Commissioner Elizabeth Denham said. “But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.
TalkTalk should have known better and they should have put their customers first.”
The ICO said TalkTalk’s actions breached the seventh principle of the Data Protection Act because it didn’t have the appropriate technical or operational safeguards in place to prevent employees from accessing the confidential information. “This incident highlights why it is essential for companies to understand exactly how users are interacting with the network and data,” Nir Polak, CEO at Exabeam.
Three of the most popular version control systems (VCSs) used in managing source code projects are vulnerable to a flaw that allows an attacker to run code on a victim’s platform, potentially leading to the theft of source code or the hijacking of the underlying machine.
Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an “ssh://” link.
Social engineering not necessary to exploit the flaw Schneeweisz says that a URL in the form of “ssh://-oProxyCommand=some-command” allows an attacker to execute commands on the computer of the user performing the clone operation. “While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules,” Schneeweisz explains.
When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger,” the researcher added.
Vulnerability affects Git, Hg, SVN, and CVS The issue was initially discovered in Git LFS, and later in GitLab’s Git implementation (CVE-2017-12426).
Yesterday, the company went public with its discovery.
Out of all platforms, Schneeweisz says that Subversion is the most vulnerable because the platform doesn’t detect HTTP redirects in repository cloning operations. “SVN follows HTTP 301 redirects […].
As a result, an innocent looking HTTP URL can be used to trigger a Command Execution with a 301 redirect.”
Data Breach Class Actions: Is a Risk of Future Harm Enough to Create Standing?.
On August 1, the D.C.
Circuit Court of Appeals joined a growing number of federal courts holding the risk of future harm is enough to allow a class action to proceed following a data breach.
The district court initially dismissed the class action, holding that alleged increased risk of future identity theft was not enough to give the plaintiffs standing to bring the class action suit.
Circuit held the plaintiffs alleged a substantial risk of identity theft and emphasized that a risk of future harm was enough to establish standing.
The court determined that the type of personal information stolen from CareFirst was enough to create a material risk of medical identity theft.
On one hand, a company offering credit monitoring services to victims of a data breach may be inadvertently providing standing to a potential class action.
Given the split among federal courts it seems likely the Supreme Court will have to address whether the risk of future identity theft is enough to give data breach plaintiffs standing.
The key takeaways: There is a growing trend in federal courts allowing data breach victims to bring class actions claims based on the risk of future harm.
The only Michigan court to address this issue held the risk of future harm was not enough to support a class action claim following a data breach.